000034481 - How to configure RSA NetWitness server to send FQDN in EHLO response

Document created by RSA Customer Support Employee on Dec 1, 2016Last modified by RSA Customer Support on Apr 17, 2019
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000034481
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: SA Security Analytics Server
RSA Version/Condition: 10.6.x and 11.x
Platform: CentOS
O/S Version: 6 and 7 
IssueSA server fails to send any notification email even after configuring Global Notification with the correct SMTP setting.

Mail server is configured to accept only FQDN but monitoring the packets with tcpdump shows that SA server sends hostname instead of FQDN in EHLO response as shown below.

E.g. TestServer is shown instead of TestServer.test.local

05:34:23.842234 IP x.x.x.x.42635 > Flags [P.], seq 1:18, ack 115, win 115, length 17
        0x0000:  4500 0039 4f50 4000 4006 86b2 0a3e 1f8c  E..9OP@.@....>..
        0x0010:  0a6a 3089 a68b 0019 ae27 17d8 25d5 592a  .j0......'..%.Y*
        0x0020:  5018 0073 64e8 0000 4548 4c4f 2011 512a  P..sd...EHLO.Test
        0x0030:  4733 5121 2312 420d 0a                   Server..

ResolutionBy default, postfix uses the hostname of the SA server in EHLO response.
In order to resolve the issue, follow the user guide to change the hostname of the SA server to FQDN.
--Version 10.x
After following the User Guide to change the hostname, please modify /etc/puppet/csr_attributes.yaml on the SA server to update the hostname with FQDN and reboot the SA server host.

If on version 11.x please contact support for assistance with changing the hostname.